Solved: How do I locate the latest event and have all the ...

smaloney99 · ‎06-11-2016

I am using the following query to locate the latest event with the field EVENTREF = 50184 or 50185. I believe the correct event is being returned by the stats command but it is not returning all the fields in the returned event for reporting purposes.

Any suggestions?

EVENTREF=50184 OR EVENTREF=50185 | stats latest(EVENTREF) as LatestEvent by TVMREF

richgalloway · ‎06-11-2016

Try this

EVENTREF=50184 OR EVENTREF=50185 | stats latest(EVENTREF) as LatestEvent, values(EVENTREF) as Events by TVMREF

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎06-11-2016

Try this

EVENTREF=50184 OR EVENTREF=50185 | stats latest(EVENTREF) as LatestEvent, values(EVENTREF) as Events by TVMREF

---
If this reply helps you, Karma would be appreciated.

smaloney99 · ‎06-11-2016

Thank you! Using 'values' for any field I'd like to access is doing the trick.

richgalloway · ‎06-13-2016

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.

How do I locate the latest event and have all the fields in that event available to me?

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All